Errata ID | 392 |
---|---|
Date | 2018-05-08 |
Source package | postgresql-9.4 |
Fixed in version | 9.4.15-0+deb8u1 |
Description | This update addresses the following issues:<br>* PostgreSQL runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they `open()`, `chmod()` and/or `chown()` this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server. (CVE-2017-12172)<br>* Invalid `json_populate_recordset` or `jsonb_populate_recordset` function calls can crash the server or disclose a few bytes of server memory. (CVE-2017-15098) |
Additional notes | |
CVE ID | CVE-2017-12172 CVE-2017-15098 |
UCS Bug number | #45752 #45753 |